Add support for storing in-toto Attestations outside the log. (sigstore#321)

This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Author: dlorenc

cmd/rekor-cli/app/pflags.go

@@ -235,7 +235,7 @@ func CreateIntotoFromPFlags() (models.ProposedEntry, error) {
 	re := intoto_v001.V001Entry{
 		IntotoObj: models.IntotoV001Schema{
 			Content: &models.IntotoV001SchemaContent{
-				Envelope: swag.String(string(b)),
+				Envelope: string(b),
 			},
 			PublicKey: &kb,
 		},

cmd/rekor-server/app/root.go

@@ -69,6 +69,10 @@ func init() {
 	rootCmd.PersistentFlags().String("redis_server.address", "127.0.0.1", "Redis server address")
 	rootCmd.PersistentFlags().Uint16("redis_server.port", 6379, "Redis server port")
 
+	rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
+	rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
+	rootCmd.PersistentFlags().Int("max_attestation_size", 100*1024, "max size for attestation storage, in bytes")
+
 	if err := viper.BindPFlags(rootCmd.PersistentFlags()); err != nil {
 		log.Logger.Fatal(err)
 	}

docker-compose.yml

@@ -87,9 +87,13 @@ services:
       "--redis_server.port=6379",
       "--rekor_server.address=0.0.0.0",
       "--rekor_server.signer=memory",
+      "--enable_attestation_storage",
+      "--attestation_storage_bucket=file:///var/run/attestations",
       # Uncomment this for production logging
       # "--log_type=prod",
       ]
+    volumes:
+    - "/var/run/attestations:/var/run/attestations"
     restart: always # keep the server running
     ports:
       - "3000:3000"

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/go-openapi/swag v0.19.15
 	github.com/go-openapi/validate v0.20.2
 	github.com/go-playground/validator v9.31.0+incompatible
+	github.com/google/go-cmp v0.5.5
 	github.com/google/rpmpack v0.0.0-20210107155803-d6befbf05148
 	github.com/google/trillian v1.3.14-0.20210413093047-5e12fb368c8f
 	github.com/in-toto/in-toto-golang v0.1.1-0.20210528150343-f7dc21abaccf

pkg/api/api.go

@@ -34,6 +34,7 @@ import (
 	"github.com/sigstore/rekor/pkg/log"
 	pki "github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/signer"
+	"github.com/sigstore/rekor/pkg/storage"
 	"github.com/sigstore/sigstore/pkg/signature"
 )
 
@@ -146,8 +147,9 @@ func NewAPI() (*API, error) {
 }
 
 var (
-	api         *API
-	redisClient radix.Client
+	api           *API
+	redisClient   radix.Client
+	storageClient storage.AttestationStorage
 )
 
 func ConfigureAPI() {
@@ -163,4 +165,11 @@ func ConfigureAPI() {
 			log.Logger.Panic(err)
 		}
 	}
+
+	if viper.GetBool("enable_attestation_storage") {
+		storageClient, err = storage.NewAttestationStorage()
+		if err != nil {
+			log.Logger.Panic(err)
+		}
+	}
 }

pkg/api/entries.go

@@ -160,6 +160,20 @@ func CreateLogEntryHandler(params entries.CreateLogEntryParams) middleware.Respo
 		}()
 	}
 
+	if viper.GetBool("enable_attestation_storage") {
+
+		go func() {
+			typ, attestation := entry.Attestation()
+			if typ == "" {
+				log.RequestIDLogger(params.HTTPRequest).Infof("no attestation for %s", uuid)
+				return
+			}
+			if err := storeAttestation(context.Background(), uuid, typ, attestation); err != nil {
+				log.RequestIDLogger(params.HTTPRequest).Errorf("error storing attestation: %s", err)
+			}
+		}()
+	}
+
 	payload, err := logEntryAnon.MarshalBinary()
 	if err != nil {
 		return handleRekorAPIError(params, http.StatusInternalServerError, fmt.Errorf("signing error: %v", err), signingError)

pkg/api/error.go

@@ -89,9 +89,10 @@ func handleRekorAPIError(params interface{}, code int, err error, message string
 			return entries.NewGetLogEntryByUUIDDefault(code).WithPayload(errorMsg(message, code))
 		}
 	case entries.CreateLogEntryParams:
-		logMsg(params.HTTPRequest)
 		switch code {
+		// We treat "duplicate entry" as an error, but it's not really an error, so we don't need to log it as one.
 		case http.StatusBadRequest:
+			logMsg(params.HTTPRequest)
 			return entries.NewCreateLogEntryBadRequest().WithPayload(errorMsg(message, code))
 		case http.StatusConflict:
 			resp := entries.NewCreateLogEntryConflict().WithPayload(errorMsg(message, code))

pkg/api/index.go

@@ -92,3 +92,7 @@ func SearchIndexNotImplementedHandler(params index.SearchIndexParams) middleware
 func addToIndex(ctx context.Context, key, value string) error {
 	return redisClient.Do(ctx, radix.Cmd(nil, "LPUSH", key, value))
 }
+
+func storeAttestation(ctx context.Context, uuid, attestationType string, attestation []byte) error {
+	return storageClient.StoreAttestation(ctx, uuid, attestationType, attestation)
+}